From: H Carvey (keydet89@yahoo.com)
Date: Tue Aug 10 2004 - 12:01:38 EDT

>What I'm looking for are utilities that collect useful information on
>running production devices in the early stages of an eval. They need to
>be scriptable (i.e. command line) and should not have any installed
>components. The idea is that they can be executed remotely using shell
>scripts, psexec, or rolled into an msi package.

Refer to my previous response, but add WMI to that for Windows boxes, as well.

>Why play the service guessing game w/ headers &
>fingerprints when you could just find out first hand? Saves you effort
>& the customer $$. In my opinion, the days of black box pen testing are
>over. By starting on the box and working outward you can evaluate the
>successive layers of security providing for a systematic and
>comprehensive evaluation.

Agreed, excellent point. I was with Trident Data Systems' commercial consulting arm, and that's what we did w/ vulnerability assessments...we included it in the contract. By working cooperatively w/ the admins, we were able to uncover all of the dust bunnies, not just the first one we ran across (as in the case of a pen test).